When preparing an RFP or RFI for a possible project, many companies pay close attention to the requirements that the software vendors need to fulfill. Here, certifications of or compliance with specific standards are usually of special interest. Some are industry standards or even legally binding (e.g. EU GDPR compliance), but others are subject to the company’s own strategy and policies: Which standards are mandatory and which ones are “nice to have”?

The question is not that easy to answer, as the need to fulfill certain requirements depends on several factors:

• How important are certifications generally for your decision-making process?
• Is compliance good enough or do you require a certificate?
• Which certifications are legally binding?
• Which general certifications apply to you?
• Which industry-specific certifications do you need to take into account?
• Are there any regional certifications for the locations in which you are operating?

Let’s take a closer look.

In the very beginning, you have to assess the importance of certifications for your project, also with regard to the vendors that will make it onto your shortlist. Do you want to set certain certifications as mandatory selection criteria? If so, you need to break this down into the following: which certificates are legally binding, e.g. EU GDPR? Which certificates are important to your business? Which ones are optional?

Once you have compiled a list of (relevant) certifications, you can review those that are not legally binding and decide if you want the vendors to provide actual certificates or if you are comfortable with them providing evidence that they comply with certain standards.

When reviewing the relevant certificates you may come to the point where you need to ask yourself: do the vendors you are looking at necessarily need to be certified or is compliance with certain standards good enough? The route to certification can be time- and budget-consuming. This is why some vendors go for the most important certificates in the first place while “only” complying with others. This doesn’t mean that they don’t meet the criteria; rather, they allocate their resources and set priorities differently. Here, some vendors instead focus, for example, on providing the best possible service during the project or they aim to free up resources otherwise needed for certification processes. It’s a good idea to determine if certifications from your vendor are needed to solidify trust or if other evidence for compliance works just fine.

Depending on your business model and the industry or market you are operating in, some certificates or declarations of compliance are required. For example, EU GDPR compliance is compulsory, regardless of the market (as long as you conduct business with or in the EU) or industry. Due to the nature of this regulation, you will see that probably all ECM vendors you are considering will be EU GDPR compliant and most of them will offer solutions which ensure that your company acts in line with the EU GDPR. In the next step, you will need to research if there are other legally binding requirements that apply to your market, industry or the enterprise content management platform you plan to implement.

There are several certifications that could be relevant for your organization’s content and process management. Some deal with digitalization: from the quality management standpoint of the vendor (ISO 9001-2015); others address electronic signature standards, eInvoicing or document retention (ISO 16175-2). The importance of certifications like these depend significantly on the way you want to put content management into use at your company. Therefore, they need to be reviewed in accordance with your broader content management strategy and requirements. Here, an independent consultant or your ECM vendor can consult you if needed.

To ensure country-specific certifications are properly met, you need to create an overview of local requirements. SOC2 is a common standard in the US for example. It covers information security in a cloud/SaaS environment. It mainly applies to vendors and ensures that they have proper measures in place to secure information and data safety. Another example: In Germany general accounting standards (GoBD) are important for accounting and invoicing. The NEN 2082 certificate from the Netherlands makes sure that the processes for information capture, retention and deletion are compliantly secured. In Russia, FSTEK is an important certificate for data protection and is a requirement for vendors wanting to operate in that region.

As the standards and certifications may vary between industry, location and use case, you need to create your very own list that reflects what is important to your organization. Once you have compiled your overview and set priorities, you are ready to see which vendors can help you the best.

At the SER Group, we have numerous certifications in place and are compliant with even more. We are constantly reviewing certifications to gain and renew the ones we have. We offer certificates and compliance with standards on an international level, including industry and sector standards. Get in touch with us to learn more. We are happy to consult you on your certification strategy.